I have seen many dictionary attacks on my ssh servers. I was thinking of a simple way to slow them down: Add a small delay to the login. Start with a half second, and double every time a password-based (or other) login fails from the same IP address, up to some limit. This requires keeping a small array in memory, with each IP address that has recently failed to log in, delay time, and a time stamp when a login from them will be allowed again. In a similar way, it should be possible to keep a time-out for each username, again doubling it. At a login, take the greater of the two delays. Both tables can be limited to (say) 10000 entries, and if they flow over, discard oldest entries. Actually, this could also be used for logins that do not try passwords, in case someone tries to brute-force something else... Possibly this is a well-known theory, and there is a well-known reason not to use it. If so, I'd like to hear about it.
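The scheme proposed above, as an added example that is not part of the original report and is not OpenSSH code: two bounded tables (per IP and per username), a delay that starts at half a second and doubles per failure, and the greater of the two waits applied at login. The class and function names, the 64-second cap, and passing the clock in as `now` are assumptions made for illustration.

```python
from collections import OrderedDict

BASE_DELAY = 0.5      # seconds after the first failure (from the post)
MAX_DELAY = 64.0      # assumed cap; the post only says "up to some limit"
MAX_ENTRIES = 10000   # table size suggested in the post


class DelayTable:
    """Hypothetical table: key (IP or username) -> (delay, time login is allowed)."""

    def __init__(self, max_entries=MAX_ENTRIES):
        self.max_entries = max_entries
        self.entries = OrderedDict()  # oldest entry first

    def record_failure(self, key, now):
        delay, _ = self.entries.pop(key, (0.0, 0.0))
        delay = BASE_DELAY if delay == 0.0 else min(delay * 2, MAX_DELAY)
        self.entries[key] = (delay, now + delay)  # re-insert as newest
        while len(self.entries) > self.max_entries:
            self.entries.popitem(last=False)      # discard oldest on overflow
        return delay

    def remaining(self, key, now):
        _, allowed_at = self.entries.get(key, (0.0, 0.0))
        return max(0.0, allowed_at - now)


class LoginThrottle:
    """Hypothetical wrapper combining the per-IP and per-username tables."""

    def __init__(self, max_entries=MAX_ENTRIES):
        self.by_ip = DelayTable(max_entries)
        self.by_user = DelayTable(max_entries)

    def failed(self, ip, user, now):
        self.by_ip.record_failure(ip, now)
        self.by_user.record_failure(user, now)

    def wait_before_login(self, ip, user, now):
        # "At a login, take the greater of the two delays."
        return max(self.by_ip.remaining(ip, now),
                   self.by_user.remaining(user, now))
```

One design trade-off this makes visible: the per-username table also delays the legitimate owner of an account, because the delay is keyed on the name rather than on who is connecting.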
This doesn't fit well with ssh's process model and would add quite a bit of complexity for pretty marginal gain. On the other hand, it could easily be implemented as a small program that watches logs and sets up firewall rules. Please see the extended discussion on this topic on the openssh-unix-dev@mindrot.org mailing list.
BTW it can also be implemented in the underlying auth systems that sshd uses, e.g. LinuxPAM has pam_fail_delay. See: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html#the-failure-delay-function and for a way to set this in the PAM config files: http://www.zip.com.au/~dtucker/patches/pam_faildelay.c
Change all RESOLVED bugs to CLOSED with the exception of the ones fixed post-4.4.